Vendor Due Diligence
Why is Vendor Due Diligence Important?
Even more so with COVID-19, businesses of all shapes and sizes are increasingly reliant on third-party vendors to deliver business-critical services, including storing transferring and/or processing sensitive data. But outsourcing key business processes to vendors can introduce substantial risk, which many companies struggle to evaluate and manage.
As data breach reports overwhelmingly show, your information security posture may be only as strong as the security of your weakest vendor. Likewise, your ability to manage your vendor risk exposure is only as strong as your vendor due diligence program.
When vendor issues impact your business and brand, your organization ultimately bears the responsibility and the consequences—such as compliance penalties, recovery costs and reputational damage. This makes vendor due diligence a basic aspect of operational and financial responsibility to your stakeholders, and the backbone of your third-party risk management (TPRM) activities.
What is Vendor Due Diligence?
The US Federal Deposit Insurance Corporation (FDIC) defines vendor due diligence as: “a review of all available information about a potential third party, focusing on the entity’s financial condition, its specific relevant experience, its knowledge of applicable laws and regulations, its reputation, and the scope and effectiveness of its operations and controls.”
The purpose of a vendor due diligence review is to give you the background you need to decide whether establishing or continuing a relationship with a vendor is worth the risk. You’d typically review a vendor during the selection process, and on a periodic basis (e.g., yearly or at contract renewal time) thereafter.
You might also need to review specific vendors anytime your risk profile changes significantly in relation to them (e.g., you make major changes to your IT environment, like supporting a remote workforce) or when their risk profile changes (e.g., they face legal action, disclose a data breach, announce layoffs, or are involved in a merger).
What is Vendor Due Diligence Questionnaire?
Given its importance to your operations, your vendor due diligence review process needs to be as in-depth and thorough as possible, especially for critical and/or high-risk vendors. Vendor due diligence questionnaires are one way to reduce the time and effort required to adequately assess vendor risk, versus more resource-intensive procedures like onsite audits.
Using high-quality vendor due diligence questionnaires can help accelerate your third-party risk management program by enabling you to quickly evaluate key risks without belaboring your staff (and your vendors’) with a barrage of unnecessary questions. Vendor due diligence questionnaires can be part of a software-as-a-service (SaaS) offering or can be as simple as an Excel spreadsheet.
You may initially want to create a “one size fits all” vendor due diligence questionnaire, or even use a premade template. But you will almost certainly get better results with less effort by customizing questionnaires or creating several different questionnaires based on vendor criticality, vendor risk level, vendor service category and/or your compliance needs.
Whatever its format, the goals of a vendor due diligence questionnaire can include reducing vendor due diligence cost and complexity, as well as standardizing how you compare and evaluate vendors. Vendor due diligence questionnaires can also help reduce procurement lead time and time-to-benefit for the vendor relationship.
What are some of the information types that vendor due diligence questionnaires typically collect? Here are a few simplistic examples:
Information security risk
- Have you experienced any data security incidents in the past year?
- Do your cybersecurity controls meet or exceed our own internal standards?
- Can you demonstrate a strong security posture via a recent cybersecurity risk assessment or audit?
- Do you have a business continuity and/or disaster recovery plan in place?
- Have you performed a business continuity or disaster recovery exercise in the past year?
- What regulations, including new regulations, are you required to comply with?
- Do you have a compliance program in place?
- Are you currently subject to any regulatory action?
- Who are your critical third parties?
- Have any changed in the past year, and why?
- Are your third parties contractually mandated to meet your security guidelines?
- Has your company been profitable over the past year?
- Has your product/service market share remained stable or grown in the past year?
- Have you made any major changes in your product/service delivery or technology in the past year?
- Are you subject to any lawsuits or other legal actions currently or in the past year?
- Have you been subject to a high number of customer complaints in the past year?
Why Conduct Vendor Due Diligence Assessments?
As de facto extensions of your business, vendors interrelate with your systems, data and employees. As such, they invariably expose you to significant financial, compliance and reputational risk that you need to assess and manage to ensure ongoing operations. In fact, a 2019 Ponemon Institute study found that 59% of companies experienced a data breach caused by a vendor within the past year.
Vendor due diligence assessments are your starting point for addressing vendor risk. But despite their criticality, many businesses don’t conduct adequate vendor assessments. For example, almost 25% of businesses don’t even know whether they have recently been impacted by a vendor’s data breach. Many also don’t have an accurate inventory of the vendors they share sensitive data with.
Vendor due diligence assessments are essential to reduce this “not knowing what you don’t know” level of unknown risk exposure. They can also empower your business in several related ways:
- They greatly improve your overall business risk assessment capability
- They enable you to comply with regulations that require vendor due diligence
- They can help you evaluate vendors and potentially tip you off that a different vendor might be a better fit for your organization
What are the Benefits of a Vendor Due Diligence Program?
A vendor due diligence program is all about reducing business risk to an acceptable level. This primarily encompasses the interrelated financial and reputational risks posed by data breaches and post-breach remediation, exfiltration of intellectual property and noncompliance with regulations.
Another benefit of a robust, centralized vendor due diligence program is to ultimately reduce the labor expense and time needed to establish and maintain vendor relationships. Making the process more efficient and standardized eliminates ad hoc/manual tasks and duplication of effort. Even just having a unified vendor due diligence process that covers IT, legal and procurement requirements and information needs can be huge.
In addition, understanding a vendor’s risk profile—especially over time and/or relative to competing providers—can give your team leverage to create more favorable contractual agreements with that vendor. Knowing more about vendors’ business and cybersecurity practices upfront can also help you choose the best vendors in the first place. Both these outcomes will likely save you money and/or lead to better customer experiences and stronger vendor partnerships.
Finally, vendor due diligence programs are increasingly mandated by regulators and therefore help drive compliance. The EU’s General Data Protection Regulation (GDPR), for instance, requires “data controllers” (often the outsourcer) to have appropriate controls in place to protect sensitive data that third-party “data processors” are handling. The overall regulatory focus is unquestionably on driving down third-party risk, and thus many firms will have no choice but to implement a vendor due diligence program within the next few years.
Every business needs standardized, repeatable processes to eliminate barriers to growth and success. Vendor due diligence is one of the most high-priority processes you can put in place. Not only can it can save you money and protect you from unacceptable risks upfront, but also it can deliver a strong return on investment over time in terms of savings and security.
But knowing that vendor due diligence is critical doesn’t make it easy. With over 30 years of combined vendor risk management experience, Pivot Point Security offers a unique, affordable end-to-end program that can be ramped up quickly and integrates smoothly with your existing workflows. We can also help you strategize creating your own program or improving current processes.
Schedule time to brainstorm with a vendor risk management expert